Microsoft Says Recovery From Malware Becoming Impossible
An anonymous reader wrote to mention an eWeek story about Microsoft's assertion that PCs may no longer be able to recover from the most aggressive malware. From the article: "[Danseglio] cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. 'In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast.'"
Companies like Sony pushing rootkits onto unsuspecting customers is part of the trend toward stealth and aggressive rooting of machines. Once a serious worm that can spread quickly and hide deeply gets around, people will realize how serious an issue rootkits are.
Oh You POS
Ok, so why was there no disaster recovery plan in the first place? Surely the thought of an uber virus wrecking Windows had to have been brought up at some kind of meeting? Those who fail to plan, plan to fail. Plain and simple.
--Taladon
Like Sweepstakes? Try out my service @ http://www.yourpowersweeps.com -- Free 21 day trial, no cc needed.
I think any of us that work on computer systems long ago figured out that the rebuilding of a system is far easier than trying to remove each piece of malware. Now, in cases where there is critical data on the machine then it would be worth it to try. The fact is, by the time we hear about the issue, it isn't a matter of removing one or two pieces, it is usually closer to 20 or 30.
I'm a Mac user, and although I love OS X with all of my bits, I do think that if the same % population used it as currently uses windows, then there would be more serious problems with it.
:D
I'm sure it's much harder to get malware running on OS X, but if it becomes the platform most of your potential audience are using then malware developers will just try harder to make nasties for Mac.
So, in this respect, sometimes I'm glad for Windows + IE - simply because I don't have to use it.
"damnit, trolley I want in your signature." - Elburrito
"Everyone needs to buy a copy of Windows Vista, which will solve the malware problem."
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
You could never recover a compromised system reliably anyway. Once someone's got through your security to a certain level, you can't trust anything - including security tools and diagnostic information - that runs at that level or above. For a typical desktop PC or office server, that basically means you can't trust anything left on the system.
Any sort of virus removal or system clean-up after being cracked is just a calculated risk that the attack will have been completely removed, based on the fact that doing a complete rebuild of a system and restoring all the backed up data is expensive, and while not cleaning up 100% after an attack is potentially more expensive, the probability of this is low.
And no, running Linux or MacOS X instead of Windows doesn't change this, despite the number of people flippantly suggesting these alternatives. I'd have told you this earlier and saved a dozen posts, but apparently it's been 4 minutes since I last successfully posted a comment, so I can't post another one yet... ;-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
the U.S. government struggled with malware infestations on more than 2,000 client machines. 'In that case, it was so severe that trying to recover was meaningless.
Whereas, if they had been using thin clients with no local storage, the only recovery action would have been on the server. And if they had been running non-Windows on the server, they wouldn't have had these infestations in the first place. A full-blown Windows PC on every desktop in an enterprise is just an expensive welfare program for MCSE types.
"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here.
Now those sound like the words of someone who has 'been there and done that' more than a few times. If Microsoft is having those kinds of problems with the hardware, software, and expertise they have at their disposal, imagine the kinds of problem that 'Sam's Plumbing and Heating Co.' is having.
Sounds nice in theory... but what about those applications that legitimately require kernel hooks? You know... things like hardware and software drivers?
Which is worse? Allowing virtually anything to hook into the kernel (provided the running user has the rights) and potentially opening it up to rootkitting... or a user accidentally disabling all 3rd party kernel hooks which caused their anti-virus program's filter driver to stop working and not detect a more run of the mill virus causing them much pain and suffering?
Help Brendan pay off his student loans
Really, they had no way to wipe and restore on an automated process? Have they never heard of Ghost-EE? Multicasting?
I use ghost on my PC, thus when I plan on installing new software I do so, play with it, am sure I like it, then:
Restore latest clean system build image to machine,
Install target application, ensure functionality,
Create new latest clean system build image.
I store all my non-temporary data on a server PC anyway, so this is an ideal solution. One that should work in any enterprise environment as well (assuming that there are only 3-4 different builds).
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Yeah, because it's so easy to replace the 20+ programs that form the core of our business, and data migration's so easy a baby could do it. Please, try responding to the point that's actually raised here instead of going on and on about migrating to alternative systems. Many companies are simply not in a position to migrate their entire network.
Personally, I'd love to migrate us to Linux, but until I can replace CAD/CAM systems, accounting packages, design software, drawing packages, etc... that's simply not going to happen, and until it does happen I'm faced with the job of keeping our MS systems secure.
We've found that preventing web based scripts from running has kept us virus free for nearly two years now, but even then we're expecting to be hit by something sooner or later. If you're running a Microsoft network, it's worth putting a few weeks aside to get RIS / Ghost working well. Right now we're looking to take things a step further by running all our clients off a set of blade servers running virtual machines. There are cost savings to be had with the ease of maintenance and disaster recovery suddenly becomes a whole lot simpler.
When a *nix box gets rooted, generally standard practice says that you rebuild the box. I'm unsure if this is the case with Windows rootings. That is just the way it is.
Malware wants to be "sticky". I'm surprised it has taken this long to become truly difficult if not downright impossible to remove.
What I wonder is if people will just tolerate the unremovable malware instead of the frustration and/or time of reinstalling the OS and applications and getting everything just right all over again. It's one thing for system administrators and geeks to reinstall. It another thing entirely for the average user to have full/incremental backups or cloned drives or some set of procedures for reinstallation.
This is definitely an interesting situation.
the guys who with XP-SP1 tried to isolate everybody who had a common serial number?
MS has finally awakened and smells the coffee.
but I have no cup for them any more.
if this is supposed to be a new economy, how come they still want my old fashioned money?
I'm coming to the point where I feel that the core Windows environment needs to be booted from CD, or some other read-only media that can't be altered. Yes, additional drivers and installed programs will need to boot from the hard drive, however, a Safe Boot option to run your virus scan from as part of the read-only boot could then be used to much more easily remove the malware.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
or you could just use linux.
Web Design
Once you've worked with a real X11 window manager, you can never go back to the crude hacks used on other platforms. Are you talking about an icon theme or something? Maybe you're thinking of KDE circa 1998?
You're talking about "de facto standards", not standards. Standards are publicly documented and have been the prime focus of Linux systems since before day 1. Undocumented, un-POSIX-compliant applications may be popular, but they are not "standards".
A nice try, but Unix-like systems have something that we call a "security model". Except in the case of people who refuse to apply updates or do things like purposefully disabling the firewall, this provides a level of protection that most other systems simply can't rival.
Think about it for a second. Apache with Linux or BSD run a huge majority of the servers on the Web. If you wanted to deliver spyware, you'd exploit and infect these systems with a delivery mechanism. The reason malware authors have to target the client OS with email worms and things that start their own mini-webservers is that it's just too freaking difficult to compromise Unix-like systems.
Of course, as long as the majority of client systems *do* run a swiss-cheesed NT variant with the security-hackaround-of-the-week, it's entirely theoretical as to whether a widespread change in client platforms would affect malware viability in that market.
As you work in the educational sector one would expect that retraining could be done in house and on the cheap. Also one would imagine that the vast majority of your users (i.e students) are to be taught how to use windows, so there is no difference as you would just teach them to learn gnome, etc. instead.
It sounds like a case of you can't be bothered.
I wasn't bringing it up like: "Windows is a great OS, just overstretched" - I meant that if a better OS (even a Linux distro) was the dominant OS on the desktop user market then malware people would just work harder and create products that eventually got around all the more advanced security.
"damnit, trolley I want in your signature." - Elburrito
It's a gamble. Building the new system represents a cost (in time and labor if nothing else). Retraining staff is a cost. Finding new apps, or secure work-arounds for existing apps, represents another cost. Dealing with the transition (helpdesk, troubleshooting, whining users, fixing incompletely transitioned apps) represents yet another cost.
On the balance side is the cost of a security breach which (insert your company's worst nightmare here). Or the cost of denying all your users all your computers for a period of time while things are all rebuilt. Of course it isn't guaranteed that either doomsday scenario is going to happen; simultaneously, it isn't guaranteed that either doomsday scenario is going to be limited to a single incident.
It's called risk management.
Put another way: is it worth taking a known, calculable, solid kick in the nuts to mitigate the risk that you might be repeatedly shot in the arm, chest, or head?
What is your business worth?
you should read everything on the internet as if it had "but I'm probably talking out of my ass" appended to it.
"With regard to scientific equipment: my experience (in a biotech firm) has been quite similar."
Mine too. Too often once the software's written for a piece of equipment a company wants to sell, the software unit gets disbanded (what, you wanted support?). So then you're stuck with whatever OS was current at the time for the lifetime of the equipment. So we have setups costing 10's to 100's of thousands of dollars controlled by PCs running Win 95/98. It would be nice to have these connected to the network to facilitate transferring data, but who wants to risk that?
OTOH, we have some old Mac 8100's running OS 9 controlling some equipment. Those have been connected to the network for years, and we haven't had a problem yet (as long as we can find mouse, keyboard and monitor replacements).
At least where I work, in the educational sector, that's impossible. The time spent retraining faculty and staff alone would outweigh the security benefits
Translation: I never have the time to do it right, but I always have the time to fix it!
I do think that if the same % population used it as currently uses windows, then there would be more serious problems with it.
"FYI, That statement has been proven to be FUD for quite some time now."
Um, how exactly? The only way it could be proven is if Apple had a significant share of the market. Which they don't, and won't. Nothing against Apple or Macs, it's just the numbers.
"But this one goes to 11!"
That statement has been proven to be FUD for quite some time now.
Actually, it hasn't been proven at all. It's not possible to prove it, as a matter of fact, without OS X being the dominant operating system on the market. The usual rebuttal, Apache vs. IIS, doesn't apply to anything but Apache and IIS.
Slashdot - where whining about luck is the new way to make the world you want.
I'm a Mac user too and I couldn't disagree more with you, even if I tried.
I'm also a long time Linux user (almost 10 years) and certified Solaris administrator, and I can tell you exactly _why_ a Unix or Unix look-alike such as GNU/Linux is easier than Windows to clean and restore to a clean, working state: *NIXes are open.
Open in the sense that you know exactly where things are, what they do, when they do it and how, thanks in part to the long tradition of storing configurations in well documented clear text files.
More than once I had to clean GNU/Linux machines infested with rootkits, and it was possible to do that in about 1 1/2 hours with a liveCD distro and a redhat/debian/suse/whatever set of disks from where to copy the original, clean packages.
Basically the process is:
- boot from the live distro;
- backup everything important (data files, $HOME dirs, /etc dir, and others) if necessary;
- copy good binaries of basic stuff from the /sbin and /bin dirs from the live CD to the infected box;
- chroot to the mountpoint where you have the infected disk mounted. Just make sure no infected binary gets executed when a profile/init script is executed when you chroot;
- force install of clean packages from a known CD. Make sure you replace the kernel and modules with good ones, just in case;
- check the MD5 hashes of every possible package;
- check every init script or profile script such as .bashrc to make sure they're clean;
- reboot to a clean box;
- apply every possible update.
Anything that gets executed at boot time will be listed either in /etc/inittab or in a sysV/BSD style init script. There's nothing hidden from an administrator when you're dealing with a *NIX (such as MacOS X). Can't say the same for Win* boxes with that maze of mysteries called "registry".
What ? Me, worry ?
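The hash-check step of the clean-up procedure in the post above, together with the earlier point that nothing on a compromised box (its own `ls`, `ps` or `md5sum` included) can be trusted, as an added example in POSIX shell. This is not code from the thread or from any distribution's tooling. It assumes you are running from a trusted live environment, that a known-good copy of the system (a clean install, or packages unpacked from the distribution media) is available to build the manifest from, and that GNU `sha256sum` is installed; it uses SHA-256 rather than the post's MD5 because MD5 collisions are practical. The chroot and package reinstall steps are left to the distribution's package tools. The directories and file contents built by `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: check a mounted (possibly rooted) tree
# against hashes taken from known-good files, running from a trusted live
# environment so no binary on the suspect disk is ever executed.
# Assumes GNU coreutils (sha256sum) and POSIX find/comm/awk.
set -eu

# build_manifest GOOD_DIR OUT_FILE
# Hash every regular file under a known-good tree (a clean install, or
# packages unpacked from the distribution media). Lines look like:
#   <sha256>  ./bin/ls
build_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} +) | LC_ALL=C sort -k2 > "$2"
}

# verify_tree MANIFEST SUSPECT_DIR
# Report files whose hash differs from the manifest or that are missing.
# Returns 1 if anything is wrong, so it can drive an if/else.
verify_tree() {
    bad=0
    while read -r hash path; do
        if [ ! -f "$2/$path" ]; then
            echo "MISSING  $path"; bad=1
        elif [ "$(sha256sum "$2/$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$1"
    return $bad
}

# extra_files MANIFEST SUSPECT_DIR
# A hash manifest only says what changed among files it knows about;
# a rootkit also drops new binaries, so list files the manifest never saw.
extra_files() {
    known=$(mktemp); found=$(mktemp)
    awk '{ print $2 }' "$1" | LC_ALL=C sort > "$known"
    (cd "$2" && find . -type f) | LC_ALL=C sort > "$found"
    comm -13 "$known" "$found"
    rm -f "$known" "$found"
}

# demo: constructed clean and "victim" trees under a temp dir, for illustration
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/bin" "$work/clean/etc"
    printf 'echo real ls\n' > "$work/clean/bin/ls"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/clean/etc/passwd"
    cp -R "$work/clean" "$work/victim"
    # simulate a rootkit: trojaned ls, a second uid-0 account, a hidden dropper
    printf 'echo trojan ls\n' > "$work/victim/bin/ls"
    printf 'r00t::0:0::/:/bin/sh\n' >> "$work/victim/etc/passwd"
    printf 'payload\n' > "$work/victim/bin/.sshd"
    build_manifest "$work/clean" "$work/manifest.sha256"
    if verify_tree "$work/manifest.sha256" "$work/victim"; then
        echo "victim matches manifest"
    else
        echo "victim differs from manifest; files unknown to the manifest:"
        extra_files "$work/manifest.sha256" "$work/victim"
    fi
    rm -rf "$work"
}

demo
```

In practice `SUSPECT_DIR` is the mountpoint of the infected disk (mounted `noexec`, so nothing on it can run by accident) and `GOOD_DIR` is wherever the clean packages were unpacked; a manifest built once from the distribution media can be reused across every box hit by the same rootkit.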
Why is there never any retaliation against the companies that produce this software?
Probably because the license agreement guarantees NOTHING, in great big capital letters. They exclude all warranties, including the statutory implied warranty of fitness for a particular purpose.
Software is sold on a "if it sucks, you lose" basis.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
I'm not sure that I buy into this completely. Although there are certainly people out there who write malware for the sake of writing malware, I think that if everyone was running a system that was less inherently vulnerable/insecure, that you would see criminals turning towards other ways of making money. The large-scale malware problems we're seeing today (e.g. botnetting) occur because it's profitable to write the malware, gather together a large net of bots, and then sell/lease/rent them out to someone for some malicious purpose. At some point, you can make it difficult or expensive enough to write the malware that it's no longer profitable to do that. It doesn't mean that the problem will disappear, but it might change -- criminals might put more effort into phishing and social engineering, rather than straight botnet+DDoS attacks.
That's kind of like arguing against putting a better lock on your door, because criminals are always going to figure out a way to break it. It's true, but really you don't need a lock that's strong enough to keep every criminal out, you just need to make it more secure than your neighbor's house. In OS terms, eventually you're just going to make it secure enough that it's easier to go after the user than break the system itself.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
And go to jail. Messing with the military's computers even to do something in a better way is a severe Career Limiting Activity. The military isn't a democracy, and likes things done through the chain of command.
You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
-- Colonel Adolphus Busch
The usual rebuttal, Apache vs. IIS, doesn't apply to anything but Apache and IIS
Well if one of the best analogies is dismissed as not relevant because they aren't the same as OS's, wouldn't the idea that OS X would have the same problems as Windows also be dismissed because OS X is not the same as Windows? There is either a relation between poor security and popularity or there isn't.
"I use a Mac because I'm just better than you are."
When people discuss the costs of *retraining* to use Linux they're implying they've already trained their staff once before to use Windows. In many cases this isn't true - most users can't use Windows in the sense one can use Linux. Most Windows users never add hardware, uninstall software, change the registry, edit a config file, update a package, etc... basic system tasks, but just click blindly in front of them towards the light, or else they wouldn't shout "I've deleted the internet", or get infected with malware by clicking "hot pics!!!!, downloading, install?, yes."
Of course, the poor IT department burdened with fixing their mess are power Windows users. But why? Certainly all their jobs, adding scheduled tasks, performing a system upgrade, fixing the server, are much easier in Linux.
Why is there never any retaliation against the companies that produce this software?
Or it could be in the cases you cited, what was done was done very publicly, so the person responsible was easy to find. Now if you know who is responsible for the malware in question, why don't you let the FBI know and see what happens?
It's no odder than the fact that I got a speeding ticket when I sped past an unmarked police car, but they haven't found the person who broke several windshields in the neighborhood a while back.
The basic problem is that there is no such thing as proof by analogy. It doesn't matter how good the analogy is.
Slashdot - where whining about luck is the new way to make the world you want.
IT in the government is an absolute fucking joke. Take it from me, because I work in it. The amount of money that is pissed away on useless, broken, or otherwise unnecessary shit is astounding.
On top of that, the people who actually make the decisions, have no fucking clue what they are doing.
All your base are belong to Google.
"A Mac-user with common sense!"
It's not common sense. It's wrong.
Microsoft is in a unique position. Because it has a virtual monopoly, Microsoft makes more money when its software has a lot of security vulnerabilities. For those who are ruled by money, morality has no force; "Maximizing Shareholder Value" is the way they live their lives.
Microsoft makes more money if it pressures its programmers to work too fast, so that they are sloppy, and then releases buggy software. Many people are fascinated by computers, and easily accept the world that Microsoft has created for them.
Here's a story about a Microsoft VP saying, "Oh, the next Windows operating system will be secure": "Safety and security is the overriding feature that most people will want to have Windows Vista for" .
So, Microsoft is once again telling us "The next version of Windows will be the good one." Before, Microsoft said Windows XP was "Built to be Dependable".
However, Vista will NOT include virus protection. Jim Allchin, co-president of Microsoft's platform products and services division told CRN, an industry magazine this:
CRN: In terms of security, how do you compare security in Vista vs. security in Windows XP SP2?
Allchin: SP2 was a very good system but compared to Vista, it's night and day.
CRN: Is there going to be antivirus in Vista?
Allchin: No, there is not.
CRN: Why?
Allchin: It's a complicated answer as to why not.
CRN: Was the decision based on technical concerns?
Allchin: It wasn't technical.
CRN: Will Vista resolve security problems once and for all?
Allchin: I'm not going to claim perfection or near perfection, but I think we're unrivaled in the work we've done. I believe security will be a huge problem for the industry for years and years and years but this will change the landscape in a fairly dramatic way.
Once again, Microsoft is taking advantage of the fact that most of its customers have little technical knowledge. Mr. Allchin said that "security will be a huge problem for the industry for years and years and years".
Microsoft charges for OneCare Live. That's another way to make money. Make sloppy software, and then sell protection against the sloppiness.
Note the emphasis on "beta testing" in Mr. Allchin's statements in the CRN interview. Someone said that Microsoft's motto is "The whole world is our beta tester."
--
Before, Saddam got Iraq oil profits and paid part to kill Iraqis. Now a few Americans get Iraq oil profits, and American citizens pay to kill Iraqis. Improvement?
Newsflash, you ARE at war. Iraq, Afghanistan etc. It's the United Nations and the EU that has to come in and clean up your shit. I say kick the UK out of the EU as a rogue nation, Denmark too and any other rogue nations "at war" under a "flag of convenience".
This is an admission of failure on Microsoft's part. The complexity and inflexibility of such a system is unacceptable and the efficacy is questionable. What's keeping the bad guys off your image server? If they root that, they have every machine in your organization. The same kind of thing can be said of local image copies, you are moving the target not fixing the root problem which is an unacceptably poor security model. The cost of all of this is a complete loss of user freedom within the organization. If your users can't chose the tools they need, they can't do the work that makes the company run. "Standardized desktop" a euphemism for vendor lock in.
Friends don't help friends install M$ junk.
So what's this "War on " crap, just because you do not "ration" does not mean you are not at war. Open your eyes fool.
You might have to delete $HOME in some cases but being basically a Unix variant, the system itself should be relatively immune from a system-wide infection.
I'd much rather restore my system files than $home.
Its like the worst parts of 1984 mixed with the worst parts of Brave New World. Dammit, if you're gonna take away my freedoms, at least give me soma and orgies, not another goddamn war.
I didn't realize it was analogy. I could have sworn it was a hypothesis with predictions. The prediction was that higher use results in a higher rate of being attacked and hence a higher rate of being exploited. To simple dismiss the Apache vs IIS argument without any basis places everyone else in the position to do the same with Windows vs Linux or Windows vs Mac OS X.
The simple fact is, Apache vs IIS does prove the simple argument that the ratio of users to exploits is higher relative to other competitors doesn't work. Whether or not there is in fact another model that fits is certainly an interesting question. But good luck not making a completely esoteric model that works but only applies to a very small subset of the industry.
Eurohacker European paranoia, gun rights, and h
Um, how exactly? The only way it could be proven is if Apple had a significant share of the market. Which they don't, and won't.
Wouldn't this mean you can neither argue for nor against it, since it's only theoretical? It sounds like you're using this as a point to argue against it?
I work for the Department of Redundancy Department.